STIGQter: STIG Summary: Oracle Linux 5 Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 26 Oct 2018: If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.

DISA Rule

SV-63355r3_rule

Vulnerability Number

V-24384

Group Title

GEN008050

Rule Version

GEN008050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "/etc/ldap.conf" file to use anonymous binding by removing the "bindpw" option.

Check Contents

Verify whether LDAP is in use on the system. To check whether the system is an LDAP server, run:

# ps -ef | grep ldap

Determine which LDAP implementation is installed (if not already evident from the command above).

# rpm -qa | grep ldap

If using nss_ldap:

# grep base /etc/ldap.conf

Check whether the base is set to something other than the placeholder default of "dc=example,dc=com".

If using openldap:

# grep suffix /etc/openldap/slapd.conf

Check whether the system is an LDAP client:

# grep server /etc/ldap.conf
# grep server /etc/openldap/ldap.conf

Check whether the server option names an address other than the loopback address. (In nss_ldap's "/etc/ldap.conf" and in OpenLDAP's "ldap.conf" the directory server is actually given by the "host" or "uri" directive, so inspect those lines as well if "server" only matches comments.) Then check the nsswitch.conf file:

# grep ldap /etc/nsswitch.conf

Look for the following three lines:

passwd: files ldap
shadow: files ldap
group: files ldap

If these three databases are not all configured to use an LDAP source, then the system is not using LDAP for authentication.

If the system is not using LDAP for authentication, this is not applicable.

Check for the "bindpw" option in the "/etc/ldap.conf" file.

# grep bindpw /etc/ldap.conf

If an uncommented "bindpw" line is returned (a line whose first non-blank character is "#", such as the stock "#bindpw secret" entry, is a comment and does not count), then a clear-text password is stored in the file, and this is a finding.
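The check steps above, from the nsswitch.conf test through the bindpw grep, as a script. This is an added example, not part of the STIG or of the STIGQter page: it takes the two file paths as parameters so it can be exercised offline against constructed sample files written to a temporary directory, and the function names, the sample file contents and the placeholder password value are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not STIG text): a scripted GEN008050 check that takes the
# nsswitch.conf and ldap.conf paths as parameters. The sample files below
# are constructed for the demonstration, not copied from any real host.

# Strip comments (everything after '#') and blank lines from a config file.
strip_comments() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# uses_ldap NSSWITCH: succeed only if the passwd, shadow and group
# databases all list "ldap" as a source, which is what the check requires.
uses_ldap() {
    for db in passwd shadow group; do
        strip_comments "$1" \
            | grep -Ei "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" >/dev/null \
            || return 1
    done
    return 0
}

# ldap_uri LDAPCONF: print the value of the first uncommented "uri" or
# "host" directive (nss_ldap's directive names; the file has no "server"
# keyword, so "grep server" tends to match only comments).
ldap_uri() {
    strip_comments "$1" \
        | awk 'tolower($1) == "uri" || tolower($1) == "host" { print $2; exit }'
}

# has_bindpw LDAPCONF: succeed if an uncommented "bindpw" line is present.
# Comment stripping makes the stock "#bindpw secret" line a non-finding.
has_bindpw() {
    strip_comments "$1" \
        | grep -Ei '^[[:space:]]*bindpw([[:space:]]|$)' >/dev/null
}

# check_gen008050 NSSWITCH LDAPCONF: print NA, PASS or FINDING.
check_gen008050() {
    if ! uses_ldap "$1"; then
        echo NA
    elif has_bindpw "$2"; then
        echo FINDING
    else
        echo PASS
    fi
}

# --- constructed sample files (assumptions of this example) ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

cat > "$SAMPLES/nsswitch.ldap" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

cat > "$SAMPLES/nsswitch.local" <<'EOF'
passwd:     files
shadow:     files
group:      files
EOF

# Non-compliant: clear-text bind password in the world-readable file.
cat > "$SAMPLES/ldap.conf.bad" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
binddn cn=proxy,dc=example,dc=com
bindpw placeholder-not-a-real-secret
EOF

# Compliant: anonymous bind; the commented-out bindpw is not a finding.
cat > "$SAMPLES/ldap.conf.good" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
#bindpw secret
EOF

echo "server:                  $(ldap_uri "$SAMPLES/ldap.conf.bad")"
echo "ldap client, bindpw set: $(check_gen008050 "$SAMPLES/nsswitch.ldap" "$SAMPLES/ldap.conf.bad")"
echo "ldap client, anonymous:  $(check_gen008050 "$SAMPLES/nsswitch.ldap" "$SAMPLES/ldap.conf.good")"
echo "local accounts only:     $(check_gen008050 "$SAMPLES/nsswitch.local" "$SAMPLES/ldap.conf.bad")"
```

On a live host, call check_gen008050 /etc/nsswitch.conf /etc/ldap.conf. One caveat the STIG text does not cover: where the directory does not permit anonymous lookups, nss_ldap can bind with the "rootbinddn" directive and read the password from /etc/ldap.secret (root-only, mode 0600) instead of "bindpw" in /etc/ldap.conf, which keeps the secret out of the file this rule greps; the rule itself only asks that "bindpw" be removed.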

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

System Administrator

Target Key

2207

Comments